Analysis
max time kernel: 26s
max time network: 37s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-10-2023 20:11
Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: NEAS.b48dc57cf2add016e8c28592e7ae4a40.exe
  Resource: win7-20231025-en
  7 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: NEAS.b48dc57cf2add016e8c28592e7ae4a40.exe
  Resource: win10v2004-20231023-en
  5 signatures, 150 seconds
General
Target: NEAS.b48dc57cf2add016e8c28592e7ae4a40.exe
Size: 88KB
MD5: b48dc57cf2add016e8c28592e7ae4a40
SHA1: ab2e844001c043a5a7ee66469cf00f2da38257d3
SHA256: a0d19e38527e7ec077e2c8a1a6ad94f2a37991ee563298b18163cb98395f0241
SHA512: 64777370adec61f83bff1d8f36687410482acb4b9de071a90ef0c1b4d529c6ce23b9637481596ca60f608872ab79366833b4889c854ceeae8e154d84e383aef3
SSDEEP: 1536:f5nfmIpxDWbUfd3aOPmxxEhvgCooXqRQqjh+rmKVsN:f5fvp12UFKcD/6jwqWsN
Score: 10/10
Malware Config

Signatures
Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\38DA41D2 = "C:\\Users\\Admin\\AppData\\Roaming\\38DA41D2\\bin.exe"
  Process: winver.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  4212  winver.exe
  4212  winver.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  4212  winver.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                     procid_target
  PID 4712 wrote to memory of 4212  4712  NEAS.b48dc57cf2add016e8c28592e7ae4a40.exe  87
  PID 4712 wrote to memory of 4212  4712  NEAS.b48dc57cf2add016e8c28592e7ae4a40.exe  87
  PID 4712 wrote to memory of 4212  4712  NEAS.b48dc57cf2add016e8c28592e7ae4a40.exe  87
  PID 4712 wrote to memory of 4212  4712  NEAS.b48dc57cf2add016e8c28592e7ae4a40.exe  87
  PID 4212 wrote to memory of 3348  4212  winver.exe                                  58
  PID 4212 wrote to memory of 2836  4212  winver.exe                                  65
  PID 4212 wrote to memory of 2856  4212  winver.exe                                  64
  PID 4212 wrote to memory of 2912  4212  winver.exe                                  63
  PID 4212 wrote to memory of 3348  4212  winver.exe                                  58
  PID 4212 wrote to memory of 3456  4212  winver.exe                                  57
  PID 4212 wrote to memory of 3716  4212  winver.exe                                  56
  PID 4212 wrote to memory of 3804  4212  winver.exe                                  55
Processes (indentation shows process tree depth)

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3804

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3716

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3456

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3348

    C:\Users\Admin\AppData\Local\Temp\NEAS.b48dc57cf2add016e8c28592e7ae4a40.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.b48dc57cf2add016e8c28592e7ae4a40.exe"
      PID: 4712
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\winver.exe
          command line: winver
          PID: 4212
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory

C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2912

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2856

C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2836